Attacks/Breaches

2/11/2015
04:51 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Microsoft Fix For Critical Active Directory Bug A Year In The Making

This critical Active Directory vuln along with two other particularly 'nasty' critical flaws have experts pushing organizations to pick up patching pace.

With a bundle of updates spread across nine bulletins, yesterday's Microsoft Patch Tuesday had the usual mix of critical and important vulnerabilities addressed. But on fix in particular stood out from the normal stock, as Microsoft rolled out an architectural revamp for JASBUG, a critical vulnerability that puts organizations using Active Directory at a big risk for remote exploitation that could put tens of millions of machines at risk of privilege escalation if left unpatched. The vulnerability itself is a root-level problem impacting core parts of Windows, which required serious engineering revamps from Microsoft that ultimately were a year in the making.

Put together with two other critical vulnerabilities fixed yesterday—one a cumulative update for Internet Explorer and the other problem in Kernel-Mode Driver —the update has some industry experts urging organizations to consider speeding up their update windows. This urgency highlights the difficulties some organizations will face now that Microsoft has ditched its Advance Notification Service.

"Now in month two of no advance notification from Microsoft and the change up in the exploitability index, it is quite challenging to determine exactly what Microsoft recommends for deployment and how best to get that done," says Russ Ernst, director of product management for Lumension. "It’s important IT know their environments well and weigh the updates according to severity and attack likelihood. Unfortunately, the 3 critical bulletins are nasty so it’s important to pay close attention."

As organizations sped to fix the issues in this round of fixes, they've not been met by smooth waters. According to early reports yesterday from SANS Internet Storm Center, there are a number of organizations who have been experiencing deployment problems, particularly around a patch for Visual Studio.

For its part, JASBUG is a vulnerability in group policy that "could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network," according to Microsoft's bulletin on the flaw. The vulnerability is a design flaw in the operating system, hence the extended time necessary to address it. Discovered by Jeff Schmidt, founder of JAS Global Advisors, the flaw required Microsoft to fix to fix how domain-configured systems connect to domain controllers.

"Many – if not most – information security problems have roots in identification and authentication subtleties," he wrote in a blog about the bug. "When software designers, implementers, and/or users don’t get identification and authentication right, things usually go awry.

According to Johannes Ullrich of SANS ISC, this "is a 'must apply' patch for any system traveling and connecting to untrusted networks."

Meanwhile, one of the other critical bulletins is for another flaw that could be used to commit remote code execution on most Windows versions via Kernel-Mode Driver. And the third critical problem was a big one for Internet Explorer, addressing over 41 CVEs. Included in this patch is the fix for ASLR bypass highlighted by iSIGHT research yesterday in its discovery announcement about Chinese-led watering hole attacks against Fortune.com.

"Workstations that frequently browse the internet are most at risk from these vulnerabilities. Due to the Enhanced Security Configuration mode that is enabled by default in server operating systems, servers are slightly more protected from some of these flaws," says Ryan Krause, vulnerability audit development manager for BeyondTrust. "Microsoft’s EMET software, when installed and configured to work with IE, also offers additional protection from many of these vulnerabilities. One additional note is that this update will also provide IE 11 users with additional security measures by disabling SSL 3.0 fallback attempts by default."

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/12/2015 | 8:22:53 AM
If it functions, don't patch.....WRONG!
I feel that many organizations exalt functionality of their applications above all else. As many times these applications are what bring in the revenue. Fear of breaking this dynamic halts many discussions of patching. However, if you have an efficient change management and patching process, then you will find patching to be effective, not only a security aspect but from a functionality perspective. Properly testing apps and patches before pushing into production will ensure that there is no downtime for apps, frameworks, and plug-ins during business hours and will decrease the overhead for letting potential updates stack.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
CVE-2018-18375
PUBLISHED: 2018-10-16
goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.
CVE-2018-18376
PUBLISHED: 2018-10-16
goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remote attackers to discover information about currently connected devices (hostnames, IP addresses, MAC addresses, and connection time) via the rand parameter.